[wp-hackers] wp-admin folder and admin-ajax.php

Peter Westwood peter.westwood at ftwr.co.uk
Wed Aug 11 08:53:24 UTC 2010

On 9 Aug 2010, at 14:54, scribu wrote:

> On Mon, Aug 9, 2010 at 4:27 PM, Gavin Pearce <Gavin.Pearce at 3seven9.com> wrote:
>> Does anyone know of any plans or discussions, regarding a
>> "configuration" option for moving the wp-admin folder? Is it in the
>> pipeline?
> No discussions that I'm aware of.

Highly unlikely.

>> Working on hardening a WordPress install for a security conscious
>> client, I can't IP restrict the wp-admin folder, because admin-ajax.php
>> is sometimes required by the front-end. Seems a strange idea to me!
>> (Obviously ways around this, just seems a strange way of doing things -
>> maybe someone can explain why?).
>> Can't find a ticket open for either of the above, but maybe I'm being
>> blind!
> A front-end ajax handler has been proposed before:
> http://core.trac.wordpress.org/ticket/12400

We toyed for a very short time with a front end ajax handler and the problem is that for significantly important security reasons we send different cookies for front end page views than we do for admin ones.

Basically on the front end we have a cookie to say that you are logged in but that doesn't actually authorise you to perform any actions and for the admin we have the authorisation cookie.

This makes it much easier to ensure that a site is well protected against XSS issues allowing people to steal your cookies.

If you have a plugin that is using admin-ajax for something which doesn't require authentication then it should likely be rewritten to not require access to admin-ajax otherwise you want it to use it for the improved security.


Peter Westwood
http://blog.ftwr.co.uk | http://westi.wordpress.com
C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5
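The split Peter describes is what lets a site keep wp-admin IP-restricted: WordPress sets the logged-in cookie for the whole site but scopes the auth cookie to the wp-admin and plugins paths, so a front-end page never carries the cookie that authorises admin actions. The plugin skeleton below is an added example (not code from this thread or from WordPress core) showing the two patterns his last paragraph recommends: a privileged action that stays on admin-ajax.php behind a nonce and a capability check, and an unauthenticated read-only endpoint served from the front end so it needs no access to wp-admin at all. The `example_*` function names, the `example_public` query variable and the `example_note` user meta key are hypothetical; the WordPress functions and hooks are real.

```php
<?php
/*
Plugin Name: Split AJAX example (hypothetical, added for illustration)
Description: Privileged actions stay on admin-ajax.php; public ones avoid wp-admin.
*/

/*
 * Privileged action. Reachable only through /wp-admin/admin-ajax.php, so an
 * IP restriction on the wp-admin directory still applies, and the request
 * carries the auth cookie (path-scoped to wp-admin), not just the sitewide
 * logged-in cookie.
 */
add_action( 'wp_ajax_example_save_note', 'example_save_note' );
function example_save_note() {
	// Nonce bound to the current user and this action; dies with 403 on failure.
	check_ajax_referer( 'example_save_note' );

	// Capability check: a nonce proves intent, not privilege.
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
	}

	$note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
	update_user_meta( get_current_user_id(), 'example_note', $note );

	header( 'Content-Type: application/json; charset=utf-8' );
	echo json_encode( array( 'saved' => true ) );
	wp_die(); // admin-ajax handlers must terminate explicitly.
}

/*
 * Hand the privileged endpoint and a fresh nonce to front-end JavaScript.
 * The nonce is the only admin-ajax-specific value the page needs; the auth
 * cookie is attached by the browser when the request goes to /wp-admin/.
 */
add_action( 'wp_enqueue_scripts', 'example_enqueue_front_script' );
function example_enqueue_front_script() {
	if ( ! is_user_logged_in() ) {
		return; // anonymous visitors get no pointer to admin-ajax at all.
	}
	wp_enqueue_script( 'example-front', plugins_url( 'example-front.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script( 'example-front', 'exampleAjax', array(
		'url'   => admin_url( 'admin-ajax.php' ),
		'nonce' => wp_create_nonce( 'example_save_note' ),
	) );
}

/*
 * Unauthenticated, read-only endpoint. It is answered on the front end from a
 * query variable (e.g. /?example_public=1), never through wp-admin, so the
 * whole wp-admin directory can be IP-restricted without breaking it. It
 * changes no state and relies on no cookie, which is what makes skipping the
 * nonce acceptable here.
 */
add_action( 'init', 'example_public_endpoint' );
function example_public_endpoint() {
	if ( ! isset( $_GET['example_public'] ) ) {
		return;
	}
	$counts = wp_count_posts();
	header( 'Content-Type: application/json; charset=utf-8' );
	header( 'Cache-Control: public, max-age=60' );
	echo json_encode( array(
		'site'            => get_bloginfo( 'name' ),
		'published_posts' => (int) $counts->publish,
	) );
	exit;
}
```

The deciding question for each action is whether it needs the auth cookie: if it does, keep it on admin-ajax.php with `check_ajax_referer` and a capability check; if it does not, serve it from the front end and leave wp-admin locked down.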
